
Lessons learned from security breaches

Major cybersecurity breaches have become alarmingly frequent. While they aren’t good news for the organisations affected, they are an opportunity to learn.

By Tim Ferguson

Thu 22 Feb 2018 @ 10:00

Rarely does a month go by without a major cybersecurity breach hitting the headlines. The evolution of advanced malware and increasingly sophisticated tactics used by cybercriminals mean it’s getting harder than ever to stop compromises taking place.

But there are always lessons to be learned from the successful breaches. These lessons can help businesses mitigate the impact of attacks today and strengthen their defences against future threats.

Below are some key lessons that can be learned through staying aware of successful breaches and trends in the cybersecurity landscape.

Stay on top of vulnerabilities

Most organisations now have basic security hygiene in place. Needless to say, system administrators need to update server software such as operating systems, web applications and plugins on a regular basis. But recent breaches have brought shortcomings in this practice into sharp focus.

In May 2017, the WannaCry ransomware strain hit hundreds of thousands of targets around the world, including the UK's NHS. The extent of its reach was due in part to EternalBlue, an exploit for a vulnerability in the Windows SMBv1 service that the Shadow Brokers group had leaked the month before. Microsoft had released a patch for the bug (MS17-010) in March, but many organisations failed to apply it, leaving them open to WannaCry.

Petya/NotPetya followed in June. It combined the same EternalBlue exploit with a second leaked Shadow Brokers exploit, EternalRomance, and with credentials harvested from infected machines to spread inside networks, crippling Ukrainian infrastructure and huge companies such as shipping giant Maersk. Notably, its initial foothold was a poisoned update of a Ukrainian accounting package rather than an unpatched server, which is why unpatched internal hosts, not just exposed ones, mattered.

The WannaCry and NotPetya outbreaks demonstrated the speed at which cybercriminals will take advantage of tools that become available.

IT departments must have a robust process in place to become aware of security vulnerabilities as they are disclosed, to prioritise them by how exposed the affected systems are and by whether a working exploit is circulating, and to apply patches as soon as they're available. Where a patch cannot be deployed at once, an interim mitigation should be put in place instead; for MS17-010 that meant disabling SMBv1 and blocking TCP port 445 at the network perimeter, as was widely advised at the time.
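The following is an added example of the triage step in such a process, written for this page rather than taken from the article or any vendor it mentions. It matches a constructed advisory feed against a constructed host inventory using numeric version comparison (a plain string comparison would call "2.4.10" older than "2.4.3"), assigns a priority from exploit availability and internet exposure, and reports which hosts are past an assumed remediation deadline. The identifiers, product names, versions and SLA values are all made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Advisory:
    ident: str            # constructed identifier, not a real CVE or bulletin number
    product: str
    fixed_in: str         # first version that carries the patch
    published: date       # date the patch became available
    exploit_public: bool  # a working exploit is circulating (the EternalBlue situation)


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    internet_exposed: bool


# Remediation deadlines counted from the patch release date (assumed policy, not the article's).
SLA_DAYS = {"P1": 7, "P2": 14, "P3": 30}


def version_key(version: str) -> tuple:
    """Compare dotted versions numerically so that "2.4.10" sorts after "2.4.3".
    Assumes purely numeric components."""
    return tuple(int(part) for part in version.split("."))


def is_affected(host: Host, adv: Advisory) -> bool:
    """A host is affected if it runs the product at a version below the fixed one."""
    return host.product == adv.product and version_key(host.version) < version_key(adv.fixed_in)


def priority(host: Host, adv: Advisory) -> str:
    """Public exploit plus internet exposure is the most urgent combination."""
    if adv.exploit_public and host.internet_exposed:
        return "P1"
    if adv.exploit_public or host.internet_exposed:
        return "P2"
    return "P3"


def triage(hosts, advisories, today: date) -> list:
    """List every unpatched host/advisory pair with priority, deadline and days overdue,
    most urgent first."""
    findings = []
    for adv in advisories:
        for host in hosts:
            if not is_affected(host, adv):
                continue
            prio = priority(host, adv)
            deadline = adv.published + timedelta(days=SLA_DAYS[prio])
            findings.append({"host": host.name, "advisory": adv.ident, "priority": prio,
                             "deadline": deadline,
                             "overdue_days": max(0, (today - deadline).days)})
    return sorted(findings, key=lambda f: (f["priority"], -f["overdue_days"]))


# Constructed advisory feed and inventory (identifiers, products and versions are made up).
ADVISORIES = [
    Advisory("ADV-2017-001", "filesvc", "3.1.2", date(2017, 3, 14), exploit_public=True),
    Advisory("ADV-2017-002", "cms", "5.2.0", date(2017, 5, 1), exploit_public=False),
]
HOSTS = [
    Host("web01", "filesvc", "3.0.9", internet_exposed=True),
    Host("fs01", "filesvc", "3.1.0", internet_exposed=False),
    Host("ws-7", "filesvc", "3.1.10", internet_exposed=False),
    Host("intranet", "cms", "5.1.4", internet_exposed=False),
]

if __name__ == "__main__":
    # Run the triage as of 12 May 2017, the day WannaCry broke out.
    for finding in triage(HOSTS, ADVISORIES, date(2017, 5, 12)):
        print(finding)
```

In a real deployment the advisory list comes from a vulnerability feed and the inventory from an asset database or agent; the point of the example is that the process needs machine-readable inputs on both sides, or nobody notices that a patch released in March is still missing in May.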

Focus on employee training

Phishing remains one of the most common techniques used in attacks. The Verizon 2017 Data Breach Investigations Report found that email was the number-one delivery vector for malware. One reason for this is that cybercriminals are stepping up their efforts around social engineering.

Two-thirds of organisations have fallen victim to social engineering attacks, while whaling (CEO fraud), in which a spoofed or compromised executive mailbox instructs staff to make an urgent payment, is increasingly used to steer funds into accounts controlled by cybercriminals.

Attackers treat end users, who are usually acting unwittingly, as the weakest link in an organisation's security. As a result, all staff need to be trained effectively to spot the warning signs: unexpected attachments, links whose real destination differs from the displayed text, and requests that create urgency or bypass the normal approval steps.

But it seems traditional security training can only go so far, so the use of gamification techniques to make training more engaging is becoming increasingly common.

Defined by Gartner as “the use of game mechanics and experience design to digitally engage and motivate people to achieve their goals”, gamification is being successfully used by the likes of Ford, Deloitte and PwC to make their workforces more security-savvy.

Don’t brush a breach under the carpet

Towards the end of 2017, Uber acknowledged that a breach in late 2016 had exposed records belonging to 57 million riders and drivers. The company also admitted it had paid the hackers $100,000 to delete the stolen data and keep quiet, rather than notifying those affected.

The way Uber handled the breach led to the departure of its chief security officer and contributed to an investor consortium offering to buy shares at roughly 30 per cent below the company's previous valuation.

A similar incident occurred when credit-rating agency Equifax waited until September 2017 to report a hack, discovered at the end of July, that exposed the personal information of around 143 million people. The attackers got in through a vulnerability in the Apache Struts web framework for which a patch had been available since March, another failure of the patching discipline described above.

The company’s CEO, CIO and CSO all resigned once it became clear that there had been a delay in reporting the incident. The company also incurred costs of $87m as a result of the breach. Today, numerous government investigations are ongoing related to the incident.

It is likely the impact of these breaches wouldn't have been so severe if these organisations had been upfront about them. The resulting fallout has damaged trust and reputation as much as revenue and other costs.

Businesses should therefore be transparent when they suffer a security breach. This is particularly important considering the arrival of the GDPR in May this year, after which a breach involving the personal data of people in the EU must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, unless it is unlikely to put individuals at risk; where the risk to them is high, the affected individuals must be told directly as well.

Get more sophisticated

In general, recent breaches suggest that many organisations need to become more sophisticated in their security capabilities.

With phishing, for example, two-factor authentication sharply reduces the risk, because a stolen password alone is no longer enough to log in. The caveat is that one-time codes sent by SMS or generated by an app can still be captured by a phishing page that relays them in real time, so for high-value accounts a phishing-resistant hardware authenticator (such as a FIDO U2F key) is the stronger choice. Mobile devices increasingly linked into corporate networks should use full-disk encryption and encrypted connections so that confidential data they store, transmit and access is difficult for third parties to obtain.

Segmented corporate networks, with authentication required to move between segments, would also make it harder for attackers to get at the data they're after, making it too costly and time-consuming for them to pursue. WannaCry and NotPetya are the cautionary example: both spread over SMB to any Windows host they could reach, so on a flat network a single infected machine became an organisation-wide outage.

At the very least, organisations need to be diligent about updating critical systems with the latest patches. They need to be committed to developing and delivering effective cybersecurity training to the workforce. And they must have plans in place for how to report and respond to successful breaches.

Beyond that, it's also smart to have a security information and event management (SIEM) system in place, fed by network monitoring and complemented by user and entity behaviour analytics (UEBA) that baseline normal activity for each account and device and flag deviations from it. Such systems leave organisations much better prepared to rapidly detect and respond to compromises when they do take place.
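The following is an added example of the kind of detection logic such a system runs over authentication events; it is written for this page and is not code from the article or from any SIEM or UEBA product. It parses a constructed, syslog-style log, raises one alert when an account succeeds after a burst of failures from the same source (password guessing) and another when an account logs on to more distinct hosts in ten minutes than a threshold allows (the lateral movement pattern WannaCry and NotPetya produced). The log lines, host names and the threshold are made up; a production UEBA system would derive the threshold from each account's own history.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article): one logon attempt per line.
# The early lines are ordinary activity; the "admin" lines show a guessing burst against dc01
# followed by rapid logons to five more hosts. The last line is deliberately malformed.
SAMPLE_LOG = """\
2017-06-27T09:00:01 host=fs01 user=alice src=10.1.1.20 result=success
2017-06-27T09:03:10 host=fs01 user=bob src=10.1.1.21 result=success
2017-06-27T09:10:00 host=hr02 user=alice src=10.1.1.20 result=success
2017-06-27T09:30:00 host=fs01 user=bob src=10.1.1.21 result=failure
2017-06-27T09:30:20 host=fs01 user=bob src=10.1.1.21 result=success
2017-06-27T10:00:00 host=dc01 user=admin src=10.1.5.9 result=failure
2017-06-27T10:00:02 host=dc01 user=admin src=10.1.5.9 result=failure
2017-06-27T10:00:04 host=dc01 user=admin src=10.1.5.9 result=failure
2017-06-27T10:00:06 host=dc01 user=admin src=10.1.5.9 result=failure
2017-06-27T10:00:08 host=dc01 user=admin src=10.1.5.9 result=failure
2017-06-27T10:00:10 host=dc01 user=admin src=10.1.5.9 result=failure
2017-06-27T10:00:30 host=dc01 user=admin src=10.1.5.9 result=success
2017-06-27T10:01:00 host=fs01 user=admin src=10.1.5.9 result=success
2017-06-27T10:01:05 host=hr02 user=admin src=10.1.5.9 result=success
2017-06-27T10:01:09 host=web03 user=admin src=10.1.5.9 result=success
2017-06-27T10:01:15 host=db04 user=admin src=10.1.5.9 result=success
2017-06-27T10:01:20 host=ws-112 user=admin src=10.1.5.9 result=success
this line is malformed and must be skipped rather than crash the pipeline
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)


def parse(log_text: str) -> list:
    """Parse lines into dicts with a datetime 'ts', sorted by time; malformed lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def brute_force_then_success(events, min_failures=5, window=timedelta(minutes=5)):
    """Alert when a (user, src) pair succeeds after >= min_failures failures inside the window."""
    alerts, failures = [], defaultdict(list)
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append({"rule": "brute_force_then_success", "user": e["user"],
                           "src": e["src"], "failures": len(recent), "at": e["ts"]})
        failures[key].clear()  # a success ends the streak for that pair
    return alerts


def lateral_movement(events, max_hosts=3, window=timedelta(minutes=10)):
    """Alert when one account logs on to more than max_hosts distinct hosts within the window.
    max_hosts is a fixed stand-in for the per-account baseline a UEBA system learns."""
    alerts, per_user = [], defaultdict(list)
    for e in events:
        if e["result"] == "success":
            per_user[e["user"]].append(e)
    for user, logons in per_user.items():
        for i, first in enumerate(logons):
            hosts = {x["host"] for x in logons[i:] if x["ts"] - first["ts"] <= window}
            if len(hosts) > max_hosts:
                alerts.append({"rule": "lateral_movement", "user": user,
                               "hosts": sorted(hosts), "from": first["ts"]})
                break  # one alert per account is enough for the analyst
    return alerts


def run_detections(log_text: str) -> list:
    events = parse(log_text)
    return brute_force_then_success(events) + lateral_movement(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Two details matter in practice: the parser drops rather than raises on malformed input, because a single odd line must not stall the whole pipeline, and the brute-force rule keys on the (account, source) pair, since keying on the account alone would also fire on a user who mistypes a password from several machines.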